rpms / wget

Clone
Source Code
GIT

Files

f10 f11 f12 f13 f14 f15 f16 f17 f18 f19 f20 f21 f22 f23 f24 f25 f26 f27 f28 f29 f30 f31 f32 f33 f34 f35 f36 f37 f38 f39 f7 f8 f9 main rawhide
  1.   f16
  2.   wget-1.12-tls_sni_support.patch
Blob Blame History Raw 
diff -up wget-1.12/src/gnutls.c.tls_sni_support wget-1.12/src/gnutls.c
--- wget-1.12/src/gnutls.c.tls_sni_support	2009-09-22 04:59:33.000000000 +0200
+++ wget-1.12/src/gnutls.c	2012-10-09 10:25:56.250371562 +0200
@@ -45,6 +45,7 @@ as that of the covered work.  */
 #include "connect.h"
 #include "url.h"
 #include "ssl.h"
+#include "host.h"
 
 /* Note: some of the functions private to this file have names that
    begin with "wgnutls_" (e.g. wgnutls_read) so that they wouldn't be
@@ -181,7 +182,7 @@ static struct transport_implementation w
 };
 
 bool
-ssl_connect (int fd)
+ssl_connect (int fd, const char *hostname)
 {
   static const int cert_type_priority[] = {
     GNUTLS_CRT_X509, GNUTLS_CRT_OPENPGP, 0
@@ -191,6 +192,12 @@ ssl_connect (int fd)
   int err;
   gnutls_init (&session, GNUTLS_CLIENT);
   gnutls_set_default_priority (session);
+  /* We set the server name but only if it's not an IP address. */
+  if (! is_ip_address (hostname))
+    {
+      gnutls_server_name_set (session, GNUTLS_NAME_DNS,
+         hostname, strlen(hostname));
+    }
   gnutls_certificate_type_set_priority (session, cert_type_priority);
   gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, credentials);
   gnutls_transport_set_ptr (session, (gnutls_transport_ptr) fd);
diff -up wget-1.12/src/host.c.tls_sni_support wget-1.12/src/host.c
--- wget-1.12/src/host.c.tls_sni_support	2009-09-22 05:00:05.000000000 +0200
+++ wget-1.12/src/host.c	2012-10-09 10:21:19.617514313 +0200
@@ -904,3 +904,19 @@ host_cleanup (void)
       host_name_addresses_map = NULL;
     }
 }
+
+/* Determine whether or not a hostname is an IP address that we recognise. */
+bool
+is_ip_address (const char *name)
+{
+  const char *endp;
+
+  endp = name + strlen(name);
+  if (is_valid_ipv4_address (name, endp))
+    return true;
+#ifdef ENABLE_IPV6
+  if (is_valid_ipv6_address (name, endp))
+    return true;
+#endif
+  return false;
+}
diff -up wget-1.12/src/host.h.tls_sni_support wget-1.12/src/host.h
--- wget-1.12/src/host.h.tls_sni_support	2009-09-04 18:31:54.000000000 +0200
+++ wget-1.12/src/host.h	2012-10-09 10:21:19.617514313 +0200
@@ -102,4 +102,6 @@ bool sufmatch (const char **, const char
 
 void host_cleanup (void);
 
+bool is_ip_address (const char *);
+
 #endif /* HOST_H */
diff -up wget-1.12/src/http.c.tls_sni_support wget-1.12/src/http.c
--- wget-1.12/src/http.c.tls_sni_support	2009-09-22 05:02:18.000000000 +0200
+++ wget-1.12/src/http.c	2012-10-09 10:21:19.618514313 +0200
@@ -1762,7 +1762,7 @@ gethttp (struct url *u, struct http_stat
 
       if (conn->scheme == SCHEME_HTTPS)
         {
-          if (!ssl_connect_wget (sock))
+          if (!ssl_connect_wget (sock, u->host))
             {
               fd_close (sock);
               return CONSSLERR;
diff -up wget-1.12/src/openssl.c.tls_sni_support wget-1.12/src/openssl.c
--- wget-1.12/src/openssl.c.tls_sni_support	2012-10-09 10:21:19.000000000 +0200
+++ wget-1.12/src/openssl.c	2012-10-09 10:28:49.889226106 +0200
@@ -47,6 +47,7 @@ as that of the covered work.  */
 #include "connect.h"
 #include "url.h"
 #include "ssl.h"
+#include "host.h"
 
 /* Application-wide SSL context.  This is common to all SSL
    connections.  */
@@ -390,7 +391,7 @@ static struct transport_implementation o
    Returns true on success, false on failure.  */
 
 bool
-ssl_connect_wget (int fd)
+ssl_connect_wget (int fd, const char *hostname)
 {
   SSL *conn;
   struct openssl_transport_context *ctx;
@@ -401,6 +402,18 @@ ssl_connect_wget (int fd)
   conn = SSL_new (ssl_ctx);
   if (!conn)
     goto error;
+  #if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
+  /* If the SSL library was build with support for ServerNameIndication
+     then use it whenever we have a hostname.  If not, don't, ever. */
+  if (! is_ip_address (hostname))
+    {
+      if (! SSL_set_tlsext_host_name (conn, hostname))
+  {
+  DEBUGP (("Failed to set TLS server-name indication."));
+  goto error;
+  }
+    }
+#endif
   if (!SSL_set_fd (conn, fd))
     goto error;
   SSL_set_connect_state (conn);
diff -up wget-1.12/src/ssl.h.tls_sni_support wget-1.12/src/ssl.h
--- wget-1.12/src/ssl.h.tls_sni_support	2009-09-04 18:31:54.000000000 +0200
+++ wget-1.12/src/ssl.h	2012-10-09 10:21:19.620514313 +0200
@@ -33,7 +33,7 @@ as that of the covered work.  */
 #define GEN_SSLFUNC_H
 
 bool ssl_init (void);
-bool ssl_connect_wget (int);
+bool ssl_connect_wget (int, const char *);
 bool ssl_check_certificate (int, const char *);
 
 #endif /* GEN_SSLFUNC_H */
Powered by Pagure 5.13.3
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.